In September 2022, the draft Personal Data Protection Bill was ratified by the House of Representatives (DPR) of the Republic of Indonesia to be a Law that was further ratified and signed by the President of the Republic of Indonesia and promulgated on 17 October 2022. Therefore, since Law Number 27 of 2022 on Personal Data Protection (“PDP Law“) has been ratified and promulgated, the PDP Law has been in effect and has binding legal force for everyone, including legal entities within the jurisdiction of the Republic of Indonesia.
With the promulgation of the PDP Law, Indonesia has specific provisions to protect personal data, considering that previously the arrangements regarding personal data were scattered in several laws and regulations.
The PDP Law consists of 16 (sixteen) Chapters and 76 (seventy-six) Articles that regulate the types of personal data that are protected and efforts to protect personal data including legal consequences that can be imposed in the event of a violation of the provisions of the PDP Law.
- Subject of the PDP Law
The PDP Law has clearly regulated the subjects that should comply with this rule, among others:
- Corporation whether in the form of a legal entity or non legal entity;
- Public Agency ; and
- International Organisation.
Subjects of the PDP Law can perform the role of Personal Data Controller or Personal Data Processor who are obliged to carry out this role in accordance with the terms and conditions stipulated in the PDP Law, namely in Articles 19 to 56 of the PDP Law.
The binding force of this PDP Law applies to legal subjects who carry out legal actions within the jurisdiction of the Republic of Indonesia and outside the jurisdiction of the Republic of Indonesia, but has legal consequences in the jurisdiction of the Republic of Indonesia and/or for Personal Data Subjects who are Indonesian citizens outside the jurisdiction of the Republic of Indonesia.
Then, the PDP Law has regulated the presence of a new agency (“Personal Data Protection Agency“) that will be established by the President and has direct responsibility to the President.
- Object of the PDP Law
The main object protected in the PDP Law is Personal Data. Under Article 1 point 1 of the PDP Law, what is referred to by Personal Data are data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly through an electronic or non-electronic system. Classification of Personal Data in accordance with this law is divided into 2 (two), namely:
- Specific Personal Data, which includes :
- Health data and information;
- Biometric data;
- Genetic data;
- Crime records;
- Child data;
- Personal financial data; and/or
- Other data in accordance with provisions of laws and regulations.
- Personal Data that is general in nature, which includes :
- Full Name;
- Marital status; and/or
- Combined Personal Data to identify a person.
In addition to Personal Data, the PDP Law also regulates the rights owned by a Personal Data Subject regarding the Personal Data he/she owns, whether used or not used by a Personal Data Controller and Personal Data Processor, as regulated in Articles 5 to 15 of the PDP Law. One of the rights regulated in this law is regarding the granting of consent by the owner of the Personal Data. The PDP Law has clearly regulated that in the case of a Personal Data Controller and Personal Data Processor using Personal Data belonging to a Personal Data Subject, the Personal Data Controller and Personal Data Processor is required to obtain prior approval from the relevant Personal Data Subject before processing the Personal Data, and the Personal Data Subject has the right to withdraw the consent it has given. The consent given by the Personal Data Subject must be made in writing or recorded which can be delivered electronically or non-electronically.
The PDP Law also regulates the obligations of a Personal Data Controller and Personal Data Processor as in Articles 19 to 56 of the PDP Law, which are benchmarks for evaluating the performance of a PDP Law Subject who acts as a Personal Data Controller and Personal Data Processor. One of the obligations regulated is the obligation to appoint officials or officers who have duties to carry out the Personal Data Protection function which the official may or may not originate from the Personal Data Controller or Personal Data Processor .
- Prohibitions under the PDP Law
The PDP Law has clearly regulated prohibitions on the use of Personal Data, which are contained in Articles 65 and 66. Article 65 of the PDP Law regulates the prohibition of obtaining, collecting, disclosing and using Personal Data that does not belong to one person unlawfully.
The most important limitation in this Article is the phrase “unlawfully” because the PDP Law has regulated the terms and conditions that must be met and carried out to obtain, collect, disclose, and use Personal Data belonging to a Personal Data Subject, so that if the action is not carried out in accordance with provisions of the PDP Law, it can be categorized as taking action unlawfully because it has violated the PDP Law itself.
Then, Article 66 of the PDP Law regulates the prohibition of creating fake Personal Data or falsifying Personal Data belonging to other Personal Data Subjects.
- Dispute Resolution under the PDP Law
Dispute resolution under the PDP Law can be carried out through arbitration forums, courts, or other alternative dispute resolution institutions that apply in accordance with provisions of laws and regulations. The procedural law used in the dispute resolution process is the applicable procedural law in accordance with the provisions of the laws and regulations.
Dispute resolution through the courts can be carried out under criminal cases by making a report to the Police or to an Agency or under civil cases by filing a claim under Article 12 of the PDP Law in accordance with the applicable procedural law. The legal proceedings in dispute resolution cases on Personal Data Protection is carried out in private to protect the Personal Data in dispute.
- Sanctions under the PDP Law
The PDP Law has regulated administrative sanctions that can be imposed by the Personal Data Protection Agency on a Personal Data Controller and Personal Data Processor in terms of not carrying out his/her duties and obligations in accordance with the applicable provisions of the PDP Law. Administrative Sanctions that may be given may take the following form:
- Written reprimand;
- Temporary suspension of Personal Data processing activities;
- Erasure or removal of Personal Data; and/or
- Administrative fines.
Then, in addition to administrative sanctions, the PDP Law has clearly regulated criminal provisions in the event of a crime against Articles 65 and 66 of the PDP Law. The criminal threat stipulated in the PDP Law in the event of a crime against Article 65 of the PDP Law is punishable by a maximum imprisonment of 5 (five) years and/or a maximum fine of Rp.5,000,000,000 (five billion rupiah). Meanwhile, in the event of a crime against Article 66 of the PDP Law, it is punishable by imprisonment for a maximum of 6 (six) years and/or a fine of up to Rp.6,000,000,000 (six billion rupiah).
The PDP Law also stipulates separately in terms of criminal acts committed by corporations which stipulates that responsibility for these crimes may be imposed on management, control holders, givers of orders, beneficial owners, and/or Corporations.. With this provision, the accountability for criminal acts under the PDP Law committed by a Corporation has been expanded, not only being asked to Corporations, but can be asked to the management.
Article 70 Paragraphs (2) and (3) of the PDP Law stipulates that if the punishment that can be imposed on Corporations is only fines that are imposed with a nominal value of at most 10 (ten) times the maximum fine that is threatened as in Articles 67 and 68 of the PDP Law. Therefore, it can be concluded that the responsibility for criminal acts with jail punishments of the PDP Law by Corporations can be imposed on management, control holders, givers of orders, beneficial owners, in the form of fines and/or imprisonment, while for Corporations only in the form of fines.
In addition to the main criminal threat, there are additional penalties that can be given to convicts in the form of confiscation of profits and/or assets obtained or proceeds from crimes and payment of compensation. Meanwhile, for the convict of the Corporation, the additional punishment that can be imposed is in the form of:
- confiscation of profits and/or assets obtained or proceeds from crimes;
- suspension of the entire or part of the Corporation’s business;
- permanent prohibition of doing certain actions;
- shutdown of the entire or part of the Corporation’s place of business and/or activities;
- fulfill the obligations that have been neglected;
- payment of compensation;
- revocation of license; and/or
- dissolution of the Corporation.
The existence of additional punishments regulated in the PDP Law broadens the scope of the meaning of additional crimes as in Article 10 of the Criminal Code which regulates additional punishments in the form of (i) revocation of certain rights, (ii) confiscation of certain items, (iii) announcement of judge’s decision.
Then, regarding the implementation of criminal penalties in terms of the punishment imposed in the form of criminal fines both to individuals and to Corporations, it has been clearly regulated if the fines imposed must be paid within 1 (one) month after the decision is final and binding and the period can be extended for a maximum of 1 (one) month. If the convict fails to pay the fine, then the assets or proceeds belonging to the convict can be confiscated and auctioned off by the prosecutor for additional punishment in the form of the fine.
Based on the explanation above, the author is of the view that the current government regime’s serious efforts to provide legal protection for personal data through the implementation of the PDP Law provide hope and optimism against the threat of personal data abuse that is rife in Indonesia. Hopefully this fresh air can be implemented soon with the issuance of implementing instruments in the form of government regulations and presidential regulations that are clear, comprehensive and practical to implement.